In the News

Apple CEO Tim Cook has been vocal about the need for federal privacy legislation. But as discussions begin at both the state and federal level, Apple has backed off. Despite declarations that “privacy is a fundamental human right,” Apple has failed to support any privacy legislation. In fact, the tech giant has backed industry groups that actively lobby against such legislation. Professor Paul Schwartz thinks that “the states will influence privacy legislation.”

American tech firms are beginning to look to Europe for guidance on regulating their technology. Leaders from Apple, Facebook, Salesforce, and other companies have all stated that the US should follow Europe’s lead in some way. “It’s really quite noticeable…” said Professor Paul Schwartz. “Think about French ideas of liberty and freedom jumping over the Atlantic and influencing the American Revolution.” The EU’s most recent regulation, the General Data Protection Regulation (GDPR), came into effect last year and has directly influenced legislation passed in California, Brazil, Thailand, and Japan. As the US grapples with implementing a regulatory scheme, many experts believe EU regulations could provide a valuable guide, though the ultimate results of the GDPR remain to be seen.

Spain’s top soccer league, La Liga, was fined €250,000 ($280,000) by the country’s data protection agency for monitoring its Android app users’ microphones and locations without proper approval. The feature was designed to imperceptibly identify bars playing league games by obtaining geographic information to check whether the establishment had paid to license the content or was showing it illegally. According to Berkeley Law professor Paul Schwartz, such a tactic would be met with similar rebuke in the U.S. Regardless of what is in the fine print, Professor Schwartz stated that if an analysis found the behavior to be outside the bounds of user expectations, the Federal Trade Commission maintains the power to rule the practice deceptive and/or unfair.

Verizon is bribing people into giving up their privacy through their rewards program called Verizon Up. The reward credits can be used to “get exclusive access to prime sporting events, shows, concerts, and live experiences.” But consumers may not realize how much personal information and behavioral data they are giving up just to get their hands on a fast freebie. “All sorts of companies—Google, Facebook—are already in the data collection business,” said Paul Schwartz, a law professor at UC Berkeley and co-director of the Berkeley Center of Law and Technology. “Now we’re seeing older companies—cable companies, cellular companies—placing a great emphasis on it,” he said.

On March 20th, the U.S. Transportation Safety Administration (TSA) rushed out a “confidential” ban that prohibits laptops, iPads, and other electronics “larger than a cellphone” on flights coming from 10 airports in the Middle East. The ban has been sharply criticized by technology experts who questioned both its purpose and effectiveness. As noted by Professor Paul Schwartz, “terrorists have cells throughout the entire world.” As an example, the hijackers responsible for 9/11 had a cell in Hamburg, Germany. Thus, “[o]ne potential problem with this approach where you single out countries is that you ignore the extent to which the terrorist threat is kind of state-less.”

The year 2016 witnessed a dramatic expansion of privacy regulations from federal agencies, foreign countries, and state governments. The increase has led to an almost unmanageable amount of information. As stated by Professor Paul Schwartz, a special adviser at Paul Hastings LLP and the Jefferson E. Peyser Professor at UC Berkeley School of Law, “I don’t know how we can keep up at this pace. For those of us who practice and teach in this field, it’s almost scary.” In particular, the invalidation of the U.S.-EU Safe Harbor Framework by the EU Court of Justice forced the United States and the European Union to scramble to create the replacement Privacy Shield, which requires that companies have agreements with third party contractors with whom they share data. A recent update to HIPAA, the Health Insurance Portability and Accountability Act, similarly requires companies to rewrite contracts with third party contractors.

Music star Kanye West may have broken California law by secretly recording a phone call with pop star Taylor Swift. California law requires “two-party consent,” meaning that it is a crime to record any form of communication without the consent of all involved parties. West could thus be facing both civil and criminal liability if it turns out that he secretly recorded the call. While criminal prosecution is unlikely, Swift could bring a tort claim for damage to her reputation. As explained by Professor Paul Schwartz, co-director of the Berkeley Center for Law and Technology and a professor at the University of California, Berkeley, School of Law, Swift could also bring a tort claim based on West’s “public disclosure of private facts.”

Last week the European Parliament approved the proposed General Data Protection Regulation, or GDPR, which will supplant Europe’s current data protection framework. The GDPR is a uniform regime that increases restrictions and provides national privacy regulators with the authority to fine companies up to either 4 percent of a company’s annual global revenue or $22.2 million. Because the regulation increases the burden on multinational companies, most businesses will have to establish new guidelines for working with EU customers. As explained by Professor Paul Schwartz, a special adviser at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, “To some extent, U.S. companies welcome the GDPR because they feel that it offers greater harmonization, but there are national differences and differences between the various national data protection authorities that are not going to go away.”

On April 13th the Article 29 Working Party, composed of Europe’s data protection regulators, sharply criticized the draft US-EU “Privacy Shield” framework as insufficient to uphold EU law and limit the collection of data by US companies. As a result, attorneys may advise clients to employ different mechanisms to abide by EU law. Although the working party’s opinion is non-binding on the European Commission, it has important political ramifications ahead of decisions by EU member states on whether to approve the deal. As explained by Paul Schwartz, a Special Advisor at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, the opinion “puts down a marker” by which the EU Court of Justice can evaluate the new framework.

Despite the FBI’s insistence that it needed Apple’s help to unlock an iPhone used by one of the suspects in the San Bernardino shooting, the government has now confirmed that it found a way to break into the phone without Apple’s assistance. While this particular fight may be over, the outcome may weaken the government’s argument in future disputes that it requires assistance from a third party technology company. In addition, the publicity surrounding the debate will likely incentivize these companies to further bolster their security. As explained by Professor Paul Schwartz, a Special Advisor at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, “A takeaway for Internet service providers and tech companies is that the government is going to be coming for us, so we need to continue to make our protections even stronger.”

U.S. Magistrate Judge James Ornstein ruled on Monday that Apple does not have to help the government unlock a drug dealer’s iPhone. The New York order undermines the government’s position in a separate California case, in which prosecutors are arguing that their request for access to the suspected San Bernardino shooter’s phone is an isolated incident. As explained by Paul Schwartz, a Special Advisor at Paul Hastings LLP and a professor at the University of California, Berkeley, School of Law, “While the New York order is not directly binding outside this particular case, it does boost Apple because it undercuts the government’s argument that what is being requested in the San Bernardino case is minimal and unique by showing that these types of requests are being made all over the country.”

Paul Hastings special adviser Paul Schwartz, a law professor at UC-Berkeley, said the proposed Privacy Shield, when taken together with another soon to be adopted data-privacy regulation, signals a new mode of thinking for European enforcement. That law, the General Data Protection Regulation, exposes companies to high fines for violations. According to the new law, a company could be fined either 2 million euros or 4 percent of their global revenue for infractions. For Alphabet, Google’s new corporate parent, a 4 percent fine could approach $3 billion based on the earnings figures it posted Feb. 1. “If that’s their new model,” Schwartz said, “people are going to have to take this much more seriously.”

Volkswagen has refused to give emails or other executive communications to attorneys general in the United States on the basis of German privacy laws. The delay is impeding American investigators trying to determine the extent of the company’s emissions-cheating scandal. Germany has stricter privacy laws than the United States, including its Federal Data Protection Act, which limits access to data, particularly outside the European Union. “In the E.U., data protection is a fundamental right that is in the European Charter,” said Paul M. Schwartz, a law professor at the University of California, Berkeley and co-director of its Center for Law & Technology. The German federal constitutional court has also identified a right to “informational self-determination,” he said. Such laws are “real obstacles,” he said, adding, “Europeans really take privacy seriously.”

2015 brought an increase in both the influence and complexity of privacy and cybersecurity law. While the Safe Harbor decision created confusion abroad, the national regulatory picture became a little clearer. The Federal Communications Commission took steps to establish itself as a privacy regulator alongside the Federal Trade Commission. Paul M. Schwartz, a law professor and director of the Berkeley Center for Law and Technology, said the FCC actually established itself as a more aggressive regulator than the FTC, even though it has a shorter track record addressing privacy issues. “The FCC has already announced greater fines over the last two years than the FTC has done in however many years,” he said, pointing specifically to a $25 million settlement that AT&T Inc. agreed to in April.

Professor Paul Schwartz is leading one of the American Law Institute’s signature initiatives as co-reporter of the Principles of the Law, Data Privacy project. Schwartz and his colleagues have crafted a set of fourteen principles to help manage the “risks and rewards” of information privacy in the 21st century. The position gives Schwartz the opportunity to take the lead role in bringing “greater order and consistency” to privacy law, a field “that now interests everyone.”

Paul Schwartz, co-director of the Berkeley Center for Law & Technology and a special adviser to Paul Hastings LLP, discussed how the increasing rate of cybercrime aimed at banks is creating an uptick in business for attorneys who advise financial institutions on their online fraud prevention programs. Inadequate security protocols in financial services apps can lead to major liability for both technology companies and the financial institutions who work with them. Schwartz noted, “there’s all kinds of increasing regulation where the government has said ‘part of your job is to monitor your vendors very carefully and find out if they’re holding up their obligations to protect security.’”